Getting Data In

deleted data input file directory. Then, renamed and created a new data input directory. Ran Search but no results found

qtorque95
Explorer

In Splunk Enterprise version 7.2.1, Step 1: created a data input from "Files & Folders" | "New Local File & Directory" button. For example: D:\a4. Then ran a search query on the D:\a4 contents and it returned results OK.
Then I realized I had misspelled "a4", so I deleted the data input "a4" from http://localhost:8000/en-US/manager/search/data/inputs/monitor. Next, in Windows Explorer, renamed the folder from "a4" to "b4".
Then repeated Step 1 and pointed it to D:\b4.
However, after running a search on the new data input directory, I get no results. Checked C:\Program Files\Splunk\etc\apps\search\local\inputs.conf, and "D:\a4" is not listed. Please help me. Thanks.

0 Karma
1 Solution

whrg
Motivator

Hello @qtorque95,

Check out How Splunk Enterprise handles log file rotation.

When you or a log rotation program moves a file then Splunk recognizes that it is the same file and does not index it again.

If you really want to index that file again, then I see two options:

Option 1: Add the following line to your inputs.conf:

crcSalt = <SOURCE>

Doing so ensures that each file has a unique CRC.

(You need to restart Splunk after making changes to configuration files.)

Option 2: You remove the indexed data. Do the following on the command line:

splunk clean eventdata -index <index_name>

This will delete the indexed data and reindex any inputs. You need to stop Splunk first before issuing this command.


0 Karma
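An added example (not from the thread or from Splunk's own code): a small Python model of the behaviour whrg describes. It assumes Splunk's default of hashing the first 256 bytes of a file (initCrcLength), models the fishbucket as a set of CRCs already seen, and shows why the renamed D:\b4 copy is skipped, how `crcSalt = <SOURCE>` changes that, and what a cleaned index/fishbucket does.

```python
import zlib
from dataclasses import dataclass, field
from typing import Dict, Optional

INIT_CRC_LENGTH = 256  # Splunk's default initCrcLength (bytes hashed per file)


def file_crc(data: bytes, source: str, crc_salt: Optional[str] = None) -> int:
    """CRC32 of a file's leading bytes, optionally salted.
    crc_salt="<SOURCE>" mimics `crcSalt = <SOURCE>` in inputs.conf: the full
    source path is mixed into the hash, so identical bytes under a new path
    get a new CRC. Simplified model, not Splunk's implementation."""
    head = data[:INIT_CRC_LENGTH]
    if crc_salt == "<SOURCE>":
        head += source.encode("utf-8")
    elif crc_salt:
        head += crc_salt.encode("utf-8")
    return zlib.crc32(head) & 0xFFFFFFFF


@dataclass
class Fishbucket:
    """Checkpoint store of CRCs already indexed (like Splunk's fishbucket)."""
    seen: Dict[int, str] = field(default_factory=dict)  # crc -> source path

    def should_index(self, data: bytes, source: str,
                     crc_salt: Optional[str] = None) -> bool:
        """True if the file is new to this fishbucket; False if it looks like
        an already-indexed (moved or rotated) file and is skipped."""
        crc = file_crc(data, source, crc_salt)
        if crc in self.seen:
            return False
        self.seen[crc] = source
        return True


def demo() -> Dict[str, bool]:
    """Replay the thread: index the a4 folder, rename it to b4, retry."""
    # Constructed sample log (not from the post), longer than INIT_CRC_LENGTH.
    log = b"2019-01-07 10:00:00 INFO service started\n" * 10
    fb = Fishbucket()
    result = {}
    result["a4_first_index"] = fb.should_index(log, r"D:\a4\app.log")   # True
    result["b4_after_rename"] = fb.should_index(log, r"D:\b4\app.log")  # False: same CRC
    # Option 1: crcSalt = <SOURCE> makes the new path hash differently.
    result["b4_with_crcsalt"] = fb.should_index(log, r"D:\b4\app.log", "<SOURCE>")  # True
    # Option 2: `splunk clean eventdata` / fishbucket reset starts from an empty store.
    result["b4_after_clean"] = Fishbucket().should_index(log, r"D:\b4\app.log")  # True
    return result
```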

qtorque95
Explorer

Thank you @whrg, @prakash007 for your answers. What I did to solve it:
1. On the Windows server, went to Control Panel --> Services.
2. Stopped and started "Splunkd Service".

0 Karma

prakash007
Builder

@qtorque95: looks like you have Splunk Enterprise installed on your local machine...
1. Try running this command to check the input status of the monitor path:
$SPLUNK_HOME/bin/splunk list input status
2. If you see your monitor path in the list above, you can reset the file checkpoints (Splunk might be treating the above file as a duplicate):
https://docs.splunk.com/Documentation/Splunk/7.2.1/Troubleshooting/CommandlinetoolsforusewithSupport...
Read this Splunk doc on how Splunk calculates the CRC:
https://docs.splunk.com/Documentation/Splunk/7.2.1/Data/Howlogfilerotationishandled
3. Stop Splunk, delete the fishbucket ($SPLUNK_HOME/var/lib/splunk/fishbucket), and start Splunk (this will reindex all files; NOT the best solution on prod boxes).

0 Karma

qtorque95
Explorer

Thank you @prakash007. 1. Using the Windows command prompt, typed "cd C:\Program files\splunk\bin\ splunk.exe list input status". Another DOS screen opens for 2 or 3 seconds, but I am not able to see the contents. Even tried to send the results to a file as follows: at C:\Program Files\Splunk\bin typed (shown in quotes)
"splunk.exe list input status > inputstatus.txt" to see printed results. But got "Access Denied". I don't understand, as I am logged in as Administrator.
3. Using Windows Control Panel | Services, I stopped "Splunkd Service". But not sure of the syntax to run the "delete" fishbucket step using the Windows command prompt or Windows PowerShell. (I searched for this, but success.) Thank you.

0 Karma

ssadanala1
Contributor

Execute the command below to reset the fishbucket entry for the monitored file (<path-to-monitored-file> is a placeholder for the file's full path):

.\splunk.exe cmd btprobe -d "C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db" --file "<path-to-monitored-file>" --reset

0 Karma